diff --git a/manifests/modules/security/secrets-manager/deployment copy.yaml b/manifests/modules/security/secrets-manager/deployment copy.yaml new file mode 100644 index 000000000..4c2c6cf37 --- /dev/null +++ b/manifests/modules/security/secrets-manager/deployment copy.yaml @@ -0,0 +1,18 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: catalog +spec: + template: + spec: + containers: + - name: catalog + env: + - name: DB_USER + valueFrom: + secretKeyRef: + name: catalog-sealed-db + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: catalog-sealed-db diff --git a/manifests/modules/security/secrets-manager/kustomization copy.yaml b/manifests/modules/security/secrets-manager/kustomization copy.yaml new file mode 100644 index 000000000..8e63958a0 --- /dev/null +++ b/manifests/modules/security/secrets-manager/kustomization copy.yaml @@ -0,0 +1,6 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +bases: +- ../../../base-application/catalog +patches: +- deployment.yaml diff --git a/manifests/modules/security/secrets-manager/new-catalog-db copy.yaml b/manifests/modules/security/secrets-manager/new-catalog-db copy.yaml new file mode 100644 index 000000000..4079b8444 --- /dev/null +++ b/manifests/modules/security/secrets-manager/new-catalog-db copy.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: catalog-sealed-db + namespace: catalog +type: Opaque +data: + password: ZGVmYXVsdF9wYXNzd29yZA== + username: Y2F0YWxvZ191c2Vy diff --git a/website/docs/security/assets/managed-nodegroups.png b/website/docs/security/assets/managed-nodegroups.png new file mode 100644 index 000000000..8314eb89c Binary files /dev/null and b/website/docs/security/assets/managed-nodegroups.png differ 
diff --git a/website/docs/security/assets/selfmanaged-nodegroups.png b/website/docs/security/assets/selfmanaged-nodegroups.png new file mode 100644 index 000000000..ea222cc8f Binary files /dev/null and b/website/docs/security/assets/selfmanaged-nodegroups.png differ diff --git a/website/docs/security/index.md b/website/docs/security/index.md index 229dba020..3a824844b 100644 --- a/website/docs/security/index.md +++ b/website/docs/security/index.md @@ -9,4 +9,5 @@ Security at AWS is the highest priority, and is a shared responsibility between In this chapter, we'll explore various aspects of Amazon EKS related to security. To learn more about security with EKS refer to the [EKS Best Practices Guide](https://aws.github.io/aws-eks-best-practices/security/docs/). -![Shared Responsibility](assets/shared-responsibility.jpg) +![Shared Responsibility](assets/managed-nodegroups.png) +![Shared Responsibility](assets/selfmanaged-nodegroups.png) diff --git a/website/docs/security/secrets-management/secrets-manager/assets/choose-type.png b/website/docs/security/secrets-management/secrets-manager/assets/choose-type.png new file mode 100644 index 000000000..bb6820cb8 Binary files /dev/null and b/website/docs/security/secrets-management/secrets-manager/assets/choose-type.png differ diff --git a/website/docs/security/secrets-management/secrets-manager/assets/configure-secret.png b/website/docs/security/secrets-management/secrets-manager/assets/configure-secret.png new file mode 100644 index 000000000..911386f33 Binary files /dev/null and b/website/docs/security/secrets-management/secrets-manager/assets/configure-secret.png differ diff --git a/website/docs/security/secrets-management/secrets-manager/assets/store-new-secret.png b/website/docs/security/secrets-management/secrets-manager/assets/store-new-secret.png new file mode 100644 index 000000000..30051c66b Binary files /dev/null and b/website/docs/security/secrets-management/secrets-manager/assets/store-new-secret.png differ 
diff --git a/website/docs/security/secrets-management/secrets-manager/create-secret.md b/website/docs/security/secrets-management/secrets-manager/create-secret.md index e69de29bb..febca444f 100644 --- a/website/docs/security/secrets-management/secrets-manager/create-secret.md +++ b/website/docs/security/secrets-management/secrets-manager/create-secret.md @@ -0,0 +1,39 @@ +--- +title: "Storing secrets in AWS Secrets Manager" +sidebar_position: 63 +--- + +To store a secret in AWS Secrets Manager, you can either use the AWS Console or the AWS CLI. We will cover both scenarios below. + +### AWS Console + +If you choose to use the AWS Console, navigate to the [AWS Secrets Manager Console](https://console.aws.amazon.com/secretsmanager/landing), an click on the **Store a new Secret** orange button, on the right hand side of the screen. + +![store-new-secret](./assets/store-new-secret.png) + +In the first screen *Choose secret type*, select *Other type of secret*, fill the *Key/value pairs* as shown below an click **Next**. + +![choose-type](./assets/choose-type.png) + + +In the second screen *Configure secret*, type the secret name, and click **Store**. + +![configure-secret](./assets/configure-secret.png) + + +Leave the rest of the configuration with the default values, then click **Create**. + +### AWS CLI + +If you prefere to use the AWS CLI, run the command like the example below in you Cloud9 Environment. + +```bash +$ aws secretsmanager create-secret --name "eks-workshop/static-secret" --secret-string '{"username":"testdb_user", "password":"super-sekret"}' --region $AWS_REGION +{ + "ARN": "arn:aws:secretsmanager:$AWS_REGION:$AWS_ACCOUNT_ID:secret:eks-workshop/static-secret-ABCdef", + "Name": "eks-workshop/static-secret", + "VersionId": "7e0b352d-6666-4444-aaaa-cec1f1d2df1b" +} +``` + +Validate the new stored secret in the [AWS Secrets Manager Console](https://console.aws.amazon.com/secretsmanager/listsecrets) 
diff --git a/website/docs/security/secrets-management/secrets-manager/configure-eks-cluster.md b/website/docs/security/secrets-management/secrets-manager/validate-eks-cluster.md similarity index 91% rename from website/docs/security/secrets-management/secrets-manager/configure-eks-cluster.md rename to website/docs/security/secrets-management/secrets-manager/validate-eks-cluster.md index 0b0d36bd3..095c10fc0 100644 --- a/website/docs/security/secrets-management/secrets-manager/configure-eks-cluster.md +++ b/website/docs/security/secrets-management/secrets-manager/validate-eks-cluster.md @@ -3,7 +3,7 @@ title: "Validating AWS Secrets and Configuration Provider (ASCP)" sidebar_position: 62 --- -If you ran the `prepare-environment` script detailed in the [previous step](index.md), it has already installed the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver that's required for this lab. +If you ran the `prepare-environment` script detailed in the [previous step](./index.md), it has already installed the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver that's required for this lab. Lets then, validate if the addons deployed.
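Review bot: the `secretKeyRef` entries for `DB_USER` and `DB_PASSWORD` in `deployment copy.yaml` are missing the required `key` field, so the patched Deployment will be rejected by the API server (a `secretKeyRef` needs both `name` and `key`). Add `key: username` and `key: password` respectively. The ` copy` suffix in the file name also looks like an editor duplicate rather than an intended file, and the kustomization in this same change patches `deployment.yaml`, not `deployment copy.yaml`, so this file would never be applied; either rename it to `deployment.yaml` or drop it.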
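Review bot: `kustomization copy.yaml` will not be picked up by kustomize, which only reads `kustomization.yaml`, `kustomization.yml` or `Kustomization`, and its `patches:` entry references `deployment.yaml`, a file this change does not add. Rename the file to `kustomization.yaml` and make the patch reference match the Deployment file that is actually committed. `bases:` is also deprecated in current kustomize in favour of `resources:`, so the base should be listed under `resources:` instead.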
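Review bot: `new-catalog-db copy.yaml` commits database credentials to the repository as a plain Kubernetes Secret; the `data` values are only base64-encoded (`ZGVmYXVsdF9wYXNzd29yZA==` decodes to `default_password`, `Y2F0YWxvZ191c2Vy` to `catalog_user`), not encrypted, and the `sealed` in the Secret name `catalog-sealed-db` is misleading because this is an `Opaque` Secret, not a SealedSecret. That runs against the purpose of the secrets-manager module, where the Secret should be materialised from AWS Secrets Manager by the ASCP and the Secrets Store CSI Driver rather than checked in. Remove the file, or replace it with the SecretProviderClass that syncs the secret into the namespace, and treat these credentials as exposed if they are ever used outside the lab.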
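Review bot: both new images in `index.md` carry the identical alt text `Shared Responsibility`, so screen readers and link checkers cannot tell them apart; use alt text that matches the files (`Managed node groups` and `Self-managed node groups`). The hunk also drops the reference to `assets/shared-responsibility.jpg` without deleting that asset anywhere in this change, so either remove the orphaned file here or keep the original diagram alongside the two node group variants, since the paragraph above still introduces the shared responsibility model.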
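Review bot: the CLI example in `create-secret.md` passes the credential inline with `--secret-string '{"username":"testdb_user", "password":"super-sekret"}'`, which leaves the secret value in the shell history and the process list of the Cloud9 instance; for a security module the example should read the value from a file instead (`--secret-string file://secret.json` is supported by the AWS CLI) and say why. The sample output also mixes unexpanded `$AWS_REGION` and `$AWS_ACCOUNT_ID` placeholders into an ARN presented as real output; mark them as placeholders. Typos to fix in the same page: `an click` (twice), `prefere`, and `in you Cloud9 Environment`; and the console walkthrough is inconsistent, telling the reader to click **Store** on the *Configure secret* screen and then to click **Create** on a step that is never described. The closing sentence `Validate the new stored secret in the ...` is also missing its full stop.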
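Review bot: renaming `configure-eks-cluster.md` to `validate-eks-cluster.md` changes the page URL, so any sidebar entry or page that links to `configure-eks-cluster` needs updating in the same change, and nothing else in this diff touches such links. While the file is open, the context line `Lets then, validate if the addons deployed.` should read `Let's now validate that the add-ons were deployed.`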